CVSS3: 9.8 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
AI Score: 8.3 High (Confidence: High)
CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
EPSS: 0.012 Low (Percentile: 85.2%)
Issue Overview:
Artifex Ghostscript before 9.25 allowed a user-writable error exception table, which could be used by remote attackers able to supply crafted PostScript to potentially overwrite or replace error handlers to inject code. (CVE-2018-17183)
Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving errorhandler setup. NOTE: this issue exists because of an incomplete fix for CVE-2018-17183. (CVE-2018-17961)
Artifex Ghostscript allows attackers to bypass a sandbox protection mechanism by leveraging exposure of system operators in the saved execution stack in an error object. (CVE-2018-18073)
Artifex Ghostscript 9.25 and earlier allows attackers to bypass a sandbox protection mechanism via vectors involving the 1Policy operator. (CVE-2018-18284)
In Artifex Ghostscript through 9.25, the setpattern operator did not properly validate certain types. A specially crafted PostScript document could exploit this to crash Ghostscript or, possibly, execute arbitrary code in the context of the Ghostscript process. This is a type confusion issue because of failure to check whether the Implementation of a pattern dictionary was a structure type. (CVE-2018-19134)
An issue was discovered in Artifex Ghostscript before 9.26. LockSafetyParams is not checked correctly if another device is used. (CVE-2018-19409)
psi/zdevice2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because available stack space is not checked when the device remains the same. (CVE-2018-19475)
psi/zicc.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a setcolorspace type confusion. (CVE-2018-19476)
psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a JBIG2Decode type confusion. (CVE-2018-19477)
A flaw was found in the .pdf_hook_DSC_Creator procedure, where it did not properly secure its privileged calls, enabling scripts to bypass -dSAFER restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14811)
A flaw was found in the .setuserparams2 procedure, where it did not properly secure its privileged calls, enabling scripts to bypass -dSAFER restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14812)
A flaw was found in the setsystemparams procedure, where it did not properly secure its privileged calls, enabling scripts to bypass -dSAFER restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14813)
A flaw was found in the .pdfexectoken and other procedures, where they did not properly secure their privileged calls, enabling scripts to bypass -dSAFER restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands. (CVE-2019-14817)
A flaw was found in the .charkeys procedure, where it did not properly secure its privileged calls, enabling scripts to bypass -dSAFER restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges within Ghostscript and access files outside of restricted areas or execute commands. (CVE-2019-14869)
It was found that the superexec operator was available in the internal dictionary. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constraints imposed by -dSAFER. (CVE-2019-3835)
It was found that the forceput operator could be extracted from the DefineResource method. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constraints imposed by -dSAFER. (CVE-2019-3838)
It was found that some privileged operators remained accessible from various places after the CVE-2019-6116 fix. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constraints imposed by -dSAFER. (CVE-2019-3839)
It was found that ghostscript could leak sensitive operators on the operand stack when a pseudo-operator pushes a subroutine. A specially crafted PostScript file could use this flaw to escape the -dSAFER protection in order to, for example, have access to the file system outside of the SAFER constraints. (CVE-2019-6116)
Affected Packages:
ghostscript
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update ghostscript to update your system.
New Packages:
aarch64:
ghostscript-9.25-5.amzn2.aarch64
libgs-9.25-5.amzn2.aarch64
libgs-devel-9.25-5.amzn2.aarch64
ghostscript-gtk-9.25-5.amzn2.aarch64
ghostscript-cups-9.25-5.amzn2.aarch64
ghostscript-debuginfo-9.25-5.amzn2.aarch64
i686:
ghostscript-9.25-5.amzn2.i686
libgs-9.25-5.amzn2.i686
libgs-devel-9.25-5.amzn2.i686
ghostscript-gtk-9.25-5.amzn2.i686
ghostscript-cups-9.25-5.amzn2.i686
ghostscript-debuginfo-9.25-5.amzn2.i686
noarch:
ghostscript-doc-9.25-5.amzn2.noarch
src:
ghostscript-9.25-5.amzn2.src
x86_64:
ghostscript-9.25-5.amzn2.x86_64
libgs-9.25-5.amzn2.x86_64
libgs-devel-9.25-5.amzn2.x86_64
ghostscript-gtk-9.25-5.amzn2.x86_64
ghostscript-cups-9.25-5.amzn2.x86_64
ghostscript-debuginfo-9.25-5.amzn2.x86_64
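To confirm that the correction above has actually landed on a host, a practitioner wants to compare what `rpm` reports against the fixed build from the New Packages list. The following script is an added example, not part of this advisory or of the Amazon Linux tooling. It parses `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output, compares version-release strings with a simplified rpmvercmp (digit/alpha segments only; epoch, tilde and caret ordering are not handled, which is an assumption that holds for these ghostscript builds), and reports each advisory package as fixed or vulnerable. The sample `rpm` output embedded below is constructed for illustration.

```python
"""Check installed Amazon Linux 2 ghostscript packages against the fixed build
from this advisory (9.25-5.amzn2). Added example; not the advisory's own tooling."""
import re
import subprocess

# Version-release of the fixed build, taken from the advisory's New Packages list.
FIXED_VR = "9.25-5.amzn2"
# Binary packages the advisory lists (debuginfo/doc/src omitted for brevity).
PACKAGES = ("ghostscript", "libgs", "libgs-devel", "ghostscript-gtk", "ghostscript-cups")


def _segments(s):
    # rpmvercmp-style tokenisation: alternating runs of digits and letters.
    return re.findall(r"\d+|[A-Za-z]+", s)


def _cmp_segments(a, b):
    """Compare two segment lists the way rpmvercmp does (simplified)."""
    for x, y in zip(a, b):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment sorts newer than alpha
        elif x != y:
            return (x > y) - (x < y)
    return (len(a) > len(b)) - (len(a) < len(b))


def rpm_vr_cmp(vr1, vr2):
    """Compare two 'version-release' strings; returns -1, 0 or 1.
    Assumes no epoch prefix and no tilde/caret segments."""
    v1, r1 = vr1.split("-", 1)
    v2, r2 = vr2.split("-", 1)
    return _cmp_segments(_segments(v1), _segments(v2)) or \
        _cmp_segments(_segments(r1), _segments(r2))


def is_fixed(installed_vr, fixed_vr=FIXED_VR):
    """True when the installed version-release is at or past the fixed build."""
    return rpm_vr_cmp(installed_vr, fixed_vr) >= 0


def assess(lines):
    """Map each advisory package found in `rpm -qa` output to 'fixed'/'vulnerable'."""
    result = {}
    for line in lines:
        if not line.strip():
            continue
        name, vr = line.strip().split(" ", 1)
        if name in PACKAGES:
            result[name] = "fixed" if is_fixed(vr) else "vulnerable"
    return result


def live_query():
    """Run rpm on the local host and assess the result (requires rpm on PATH)."""
    out = subprocess.run(
        ["rpm", "-qa", "--qf", "%{NAME} %{VERSION}-%{RELEASE}\n"],
        capture_output=True, text=True, check=True,
    ).stdout
    return assess(out.splitlines())


# Constructed sample of rpm output; not taken from a real host.
SAMPLE = """ghostscript 9.25-2.amzn2
libgs 9.25-5.amzn2
ghostscript-cups 9.06-8.amzn2
libgs-devel 9.25-10.amzn2
"""

if __name__ == "__main__":
    for pkg, state in sorted(assess(SAMPLE.splitlines()).items()):
        print(f"{pkg}: {state}")
```

Replace `assess(SAMPLE.splitlines())` with `live_query()` to check a real AL2 host; a package missing from the output is simply not installed and is left out of the result rather than reported either way.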
Red Hat: CVE-2018-17183, CVE-2018-17961, CVE-2018-18073, CVE-2018-18284, CVE-2018-19134, CVE-2018-19409, CVE-2018-19475, CVE-2018-19476, CVE-2018-19477, CVE-2019-14811, CVE-2019-14812, CVE-2019-14813, CVE-2019-14817, CVE-2019-14869, CVE-2019-3835, CVE-2019-3838, CVE-2019-3839, CVE-2019-6116
Mitre: CVE-2018-17183, CVE-2018-17961, CVE-2018-18073, CVE-2018-18284, CVE-2018-19134, CVE-2018-19409, CVE-2018-19475, CVE-2018-19476, CVE-2018-19477, CVE-2019-14811, CVE-2019-14812, CVE-2019-14813, CVE-2019-14817, CVE-2019-14869, CVE-2019-3835, CVE-2019-3838, CVE-2019-3839, CVE-2019-6116
OS | Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 2 | aarch64 | ghostscript | < 9.25-5.amzn2 | ghostscript-9.25-5.amzn2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | libgs | < 9.25-5.amzn2 | libgs-9.25-5.amzn2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | libgs-devel | < 9.25-5.amzn2 | libgs-devel-9.25-5.amzn2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | ghostscript-gtk | < 9.25-5.amzn2 | ghostscript-gtk-9.25-5.amzn2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | ghostscript-cups | < 9.25-5.amzn2 | ghostscript-cups-9.25-5.amzn2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | ghostscript-debuginfo | < 9.25-5.amzn2 | ghostscript-debuginfo-9.25-5.amzn2.aarch64.rpm |
Amazon Linux | 2 | i686 | ghostscript | < 9.25-5.amzn2 | ghostscript-9.25-5.amzn2.i686.rpm |
Amazon Linux | 2 | i686 | libgs | < 9.25-5.amzn2 | libgs-9.25-5.amzn2.i686.rpm |
Amazon Linux | 2 | i686 | libgs-devel | < 9.25-5.amzn2 | libgs-devel-9.25-5.amzn2.i686.rpm |
Amazon Linux | 2 | i686 | ghostscript-gtk | < 9.25-5.amzn2 | ghostscript-gtk-9.25-5.amzn2.i686.rpm |